Squid DNS Header Packet assert() DoS

Another vulnerability discovered by fabs and presented in his “cat /proc/sys/net/ipv4/fuckups” talk at 26c3 is this one. While attempting to perform reliable DNS cache poisoning against the Squid caching server, he discovered a remote assert(3) DoS in the DNS resolving code, which resides in lib/rfc1035.c. Here is the equivalent code from the 3.0-STABLE21 release of the popular server…

Since fabs was sending header-only DNS packets just to determine the limit on the number of DNS requests that could be held in the queue, the ‘off’ that points to the beginning of the name was less than the size of the whole message (there was no name), which is represented by the unsigned integer ‘sz’. Because of this, the above assertion was triggered, and this of course leads to a remote DoS since it terminates Squid.
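As an added illustration (my own code, not Squid's lib/rfc1035.c and not the snippet referenced above), here is a bounds-checked name unpacker in the style of rfc1035.c that reports a header-only packet as a parse error instead of tripping an assert(); function and buffer names are mine.

```c
#include <stddef.h>
#include <string.h>
/* Decode the name at *off into name[ns] (labels joined by '.'): 0 on success
 * (advancing *off), -1 on truncated/malformed input; pointers go backwards only. */
static int safe_name_unpack(const unsigned char *buf, size_t sz, size_t *off,
                            char *name, size_t ns)
{
    size_t pos = *off, no = 0, resume = 0;
    for (;;) {
        if (pos >= sz)               /* header-only packet: pos == sz here */
            return -1;               /* report the error, do not assert() */
        unsigned len = buf[pos];
        if ((len & 0xC0) == 0xC0) {  /* 2-byte compression pointer */
            if (pos + 1 >= sz) return -1;
            size_t target = ((len & 0x3F) << 8) | buf[pos + 1];
            if (target >= pos) return -1;   /* forward pointer: reject, no loops */
            if (resume == 0) resume = pos + 2;
            pos = target;
            continue;
        }
        if (len > 63) return -1;     /* reserved label types */
        pos++;
        if (len == 0) break;
        if (pos + len > sz || no + len + 1 >= ns) return -1;
        if (no) name[no++] = '.';
        memcpy(name + no, buf + pos, len);
        no += len;
        pos += len;
    }
    name[no] = '\0';
    *off = resume ? resume : pos;
    return 0;
}

/* Question section: returns QDCOUNT (0 for a header-only message) or -1 if
 * malformed, e.g. a 12-byte message claiming QDCOUNT 1. First QNAME -> qname. */
int safe_dns_questions(const unsigned char *buf, size_t sz, char *qname, size_t ns)
{
    if (sz < 12) return -1;          /* 12-byte RFC 1035 header */
    unsigned qdcount = (buf[4] << 8) | buf[5];
    size_t off = 12;
    char scratch[256];
    for (unsigned i = 0; i < qdcount; i++) {
        if (safe_name_unpack(buf, sz, &off, i ? scratch : qname,
                             i ? sizeof scratch : ns) != 0) return -1;
        if (off + 4 > sz) return -1; /* QTYPE and QCLASS must follow */
        off += 4;
    }
    return (int)qdcount;
}
```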